Verifica lo siguiente: Services -> DHCP Server: Check you vlan dhcp ranges. Example: If you have vlan10 192.168.10.0/24, your address pool range 192.168.10.10-192.168.10.254 Check the vlan untaged ports in you switch. Example: if you port 3 apear untaged in vlan10, and your pc conected to this port have a manual ip 192.168.20.3 <-- this is the error, put the pc on dhcp or configure manual ip 192.168.10.3. but i need mor informations, vlans and ranges.

Greetings All, Thanks for your help. It thawed out my brain freeze. Your help got me on the right track and I'm now good to go. Thanks

@CharlesT This worked for me with the correction described by @keyser. Thanks so much for describing this!

@McMurphy Well, its common to configure the native lan with eg jumbo frames ~9000 and then specify smaller mtu for vlans. 1504 is common to support native 1500 mtu on pppoe. I suppose the interface is not in passthrough to pf, just bridges. I can't say how xen exaclty handles this, but in kvm is as above.

You can clone the current BE (or use quick create) and boot into it. Then default the config in that new BE add back only the minimum config. You can always boot back into any other BE.

It's probably the VLAN setting propergating to the parent NICs and then getting applied to all VLANs on it. You can usually work around that by explicitly setting an MTU value on the parent interface first. But you may need to temporarily remove the lower MTU on the VLAN to do so.

@root0day8004 if you search the forum 'bridge vlan' you'll find a few posts about that. The TL;DR: put VLANs onto the interface first, then bridge the interfaces. But: avoid bridges whenever possible, the performance will take a hit. Buy a cheap switch.

@publictoiletbowl said in transparent bridge: You want to snort on your WAN (ISP1 & ISP2) interfaces but let the 3rd party router do all other tasks. Transparent bridging does work, see in the Netgate documentation. Not sure about the performance penalty of it, what upstream speed to you get from your ISPs? https://docs.netgate.com/pfsense/en/latest/bridges/index.html#internal-external-bridges The 3rd party router will get the public IPs from ISP1 and ISP2 and you will want to setup one of the other interfaces as admin interfaces to be able to access the pfSense.

You have a strange setup. First off, I have never worked with MicroTik, so if they do something weird, I can't help with that. My experience with QinQ is with a telecom company providing a connection to a customer over fibre. Since fibre has so much bandwidth, it's usually split before reaching the customer. The first method it to use different wavelengths, with an optical filter located near the customer. Then QinQ (C tag)¹ is used to separate different customers. Depending on the connection, the 2nd VLAN (S tag) can be used to further subdivide the bandwidth or passed on to the customer. In the jobs I worked on, there was a media converter to convert between fibre and Ethernet and used the 2nd VLAN to connect it to a Cisco router, which then provided IP over Ethernet to the customer. So, I'm surprised you'd have QinQ on the WAN. As for MTU that's determined by whatever the interface is configured for. As I mentioned earlier, VLAN tags do not affect that, since they're ahead of the Ethertype field. On my own network, while I can set the MTU on the native LAN, I can't on the VLAN. It just follows whatever the native LAN provides. I also checked adding a VLAN and found I can only add them to an interface, not on top of another VLAN. You found similar with the bridge. It's just not something pfSense can do, as far as I can tell. As for connecting the VLANs between sites, that's normally done by routing the subnets, through a VPN if necessary. Do you actually have Ethernet between sites? Or just IP? If Ethernet, do you have something like MPLS to carry it? Is there anyone else here who knows MicroTik? C tag = carrier level VLAN S tag = subscriber level VLAN.

@yctn me neither, but they mention it some at https://docs.netgate.com/pfsense/en/latest/hardware/tune.html#mbuf-exhaustion 2.7.2 is over 2 years old, why not try a later version?

@eagledtony Most will have troubles reading what you've just wrote. Your Enter key seams to be broken also ( ^^ ). As no details (images) are available, so only some general advise : If you can, remove all 'VLAN' setup, go bare bone classic "VLAN 0" or no VLAN no where. This makes the setup simpler .... and issue start to vanish fast. If an issue arrives 'suddenly' then the last think you want to do is 'upgrading'. Upgrading will not (can not) resolve sudden local issues, but can create new issues. So, first, resolve the issue, which can be as simple as : Save the current pfSense config. Now get a config from 'before 2 weeks'. Issue solved : go question the pfSense admin, torture him if needed, and you will get to the bottom of things. The 'diff' between the current and 2 weeks old config will tell you what changed. Issue not solved : get the current config back and now you'll be sure : the issue isn't pfSense related. Go have a talk with the other (VLAN) stuff, and do question the "admin" gain. edit : Your pfSense has a config history : [image: 1770288431925-99464f43-9690-4b60-ba2f-740cb54e5dc3-image.png]

Edit: I just found this draft waiting for me to post. Sorry for not sharing earlier. Solution for anyone following at home. Credit goes to ChatGPT. I am not sure why the vlanif line was missing; this was all made in the web GUI. All I can think of was this was made on version 23.01 or 23.05. ChatGPT said this became a requirement in 24.X but I had this issue while still on 23.X. --- /conf/config.xml 2025-03-23 22:02:52.977293000 +1100 +++ config.xml 2025-03-23 22:02:14.882342000 +1100 @@ -325,7 +325,6 @@ <tag>99</tag> <pcp>0</pcp> <descr><![CDATA[BackupWAN]]></descr> - <vlanif>mvneta1.99</vlanif> </vlan> </vlans> <staticroutes></staticroutes>

@johnpoz I've done some more investigation and found some weird behavior. Let me explain: These are the details I brought up the PFSENSE Web gui I navigate to "System>Advanced>System Tunables>+New" In the Tunable Field I enter: dev.ix.1.advertise_speed In the Value Field I enter: 16 In the Description Field I enter: 2.5GB I then hit save and reboot my pfsense box After pfsense comes up and from the Welcome Screen I Select "Option 8" I then enter the following SYSCTL Command: "sysctl dev.ix.1.advertise_speed" The Response is "sysctl dev.ix.1.advertise_speed: 7" This tells me my tunable did not take effect after the Boot. Now I navigate to "System>Advanced>system Tunables>" and "EDIT" the tunable I created above and click "SAVE" without changing anything. I then go back to the welcome gui and select "Option 8" Again I then enter the following SYSCTL Command: "sysctl dev.ix.1.advertise_speed" The Response is "sysctl dev.ix.1.advertise_speed: 10" Which is the Decimal equivalent of 16 Now I go To my switch and the Lan Port on the switch is now running at 2.5gb. It is my understanding that placing a tunable in "System>Advanced>System Tunables>" should relieve me of having to open the tunable and pressing save. What do you think. Is this a bug or am I missing something?

If I remember correctly, you just use the drop down to select the new Network Port, but only make the change when connected to a different network. Mine looks like this now. [image: 1768967119072-9e9ce812-7211-4592-b43f-9448abbcf1a0-image.png] Only difference is I moved to the 10Gb ports.

To maybe make life simpler in the future, avoid common subnets like 192.168.0.0, 1.0, 2.0. These are used by many things such as ISP routers. I went with .42.0, because it is the meaning of life, the universe and everything.

@luckman212 bingo! Thank you for so succinctly saying what I was fumbling around trying to say! Yes, primarily security. Google VLAN1 tons of articles and whatnot advising to turn it off for security reasons (primarily for large enterprise). Secondarily (especially at this point), is a little academic - I am kind of frustrated at myself for not figuring this out so would like to accomplish for my personal satisfaction (though I am busy like everyone else and don't want to be doing purely stupid things). I will look into the UniFi thing, their controller software is unusual but it does seem to allow configuring a default VLAN simply clicking on the default network in the controller software and entering the VLAN id however during hard reset it goes back to VLAN1 of course which could be issue if that becomes necessary. I think your "Secure Enough" strategy sounds more sensible given my limited experience (I did try to configure from another subnet but got locked out and required a reset of the router). I think I will try this first. Thank you for the out-of-da-box thinking!

@louis2 Why? Bridges bridge Interfaces. Vlans in pfsense are not interfaces. So yes, it takes a few more steps, but it works. And as a matter of fact is also performant. You can also try vxlan if you wish which is a new feature in pf plus.